Meraki Systems Manager is an industry leading cloud EMM (Enterprise Mobility Management) platform that can be used for managing mobile devices across all types of education deployments. This document reviews recommended best practices and outlines steps required to configure Meraki Systems Manager using the Meraki Dashboard (http://dashboard.meraki.com) for education deployments.
Please consider the following when rolling out your mobile deployments:
Decisions on the above criteria will drive your Meraki Systems Manager configuration. The following sections talk about generic use-cases and deployment methodologies. Please contact Meraki sales if you have further questions.
There are a few key concepts in Systems Manager, and it is helpful to understand them before setting up anything in your network. Thinking about these things beforehand will make your initial deployment and ongoing management much simpler.
The first of these items is access rights. By default, Systems Manager will grant administrators the maximum amount of control available when applied to enrolled devices. However, in bring-your-own-device (BYOD) environments, device owners may not want administrators having this level of control.
Systems Manager can be customized to meet the needs of different deployment models by changing the permissions of what can be retrieved from or sent to the device. It is important to note that Access Rights must be set before devices are enrolled; changes made after enrollment will only take effect if a device is reenrolled.
Systems Manager > MDM > Add devices
Tags are used to group devices within Systems Manager. These tags are used to define the apps, controls, and settings provisioned by Systems Manager.
There are two main types of tags: static and dynamic.
When tags are applied at the owner level, SM relies on a user database to manage these tags. This database can also be used to authenticate a device owner upon enrollment, which provides an extra layer of security. Authentication can be done via Active Directory integration, or using Meraki hosted owners/accounts (see SM Enrollment Authentication for more information). When a user authenticates on a device, their owner groups or AD groups will automatically be applied as tags to devices they own. This is one example of dynamic tags.
Dynamic tags can also be applied based on time of day (schedule), physical location (geofence), or security posture. These policy-based tags are automatically applied to devices based on their state. For more information on these types of tags, please refer to the documentation below:
In addition, tags are used to scope or group devices, and apply profiles and push content accordingly. Scoping can be done with boolean logic which allows highly granular application of functionality to a device. The example below shows scoping for an App, but the same method would be used to scope other things, like profiles.
Scoping app installation with tags
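To make the scoping model concrete, the following Python is an added illustration (not Meraki's code, and not the Dashboard UI or API) of the two ideas above: policy-based tags derived from device state (schedule, geofence, security posture) and boolean evaluation of a scope expression against a device's combined static and dynamic tags. The `Device` record, the campus coordinates, the school hours and the `AND`/`OR`/`NOT` expression syntax are all constructed assumptions for the example; the same kind of tag evaluation is what decides which devices receive an app, a profile or, later in this document, a limited-access role.

```python
import re
from dataclasses import dataclass
from datetime import datetime, time
from math import asin, cos, radians, sin, sqrt
# Constructed device record (an illustration, not Systems Manager's data model).
@dataclass
class Device:
    name: str
    static_tags: frozenset   # tags the administrator assigned in Dashboard
    lat: float
    lon: float
    passcode_set: bool
    jailbroken: bool

# Hypothetical campus geofence (centre, radius in metres) and school-day hours.
SCHOOL_LAT, SCHOOL_LON, SCHOOL_RADIUS_M = 37.4220, -122.0841, 300.0
SCHOOL_HOURS = (time(8, 0), time(15, 30))

def haversine_m(lat1, lon1, lat2, lon2):
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371000.0 * asin(sqrt(a))  # great-circle distance in metres

def dynamic_tags(dev, now):
    """Schedule, geofence and security-posture tags, recomputed from current state."""
    tags = set()
    if now.weekday() < 5 and SCHOOL_HOURS[0] <= now.time() <= SCHOOL_HOURS[1]:
        tags.add("school_hours")
    if haversine_m(dev.lat, dev.lon, SCHOOL_LAT, SCHOOL_LON) <= SCHOOL_RADIUS_M:
        tags.add("on_campus")
    tags.add("compliant" if dev.passcode_set and not dev.jailbroken else "noncompliant")
    return tags

def effective_tags(dev, now):
    return set(dev.static_tags) | dynamic_tags(dev, now)

# Scope expressions combine tag names with AND / OR / NOT and parentheses. This
# syntax is an illustration of boolean scoping, not Dashboard's own UI or API.
_TOKEN = re.compile(r"\(|\)|[\w\-]+|\S")  # the last alternative catches stray characters

def _tokenize(expr):
    tokens = _TOKEN.findall(expr)
    stray = [t for t in tokens if not re.fullmatch(r"[()\w\-]+", t)]
    if stray:
        raise ValueError(f"bad characters {stray} in scope expression")
    return tokens

class _Parser:
    # Recursive descent: expr := term (OR term)* ; term := factor (AND factor)* ;
    # factor := NOT factor | '(' expr ')' | tag.  Bitwise | and & on bools keep
    # both sides evaluated so every token is consumed (no short-circuit).
    def __init__(self, tokens, tags):
        self.tokens, self.pos, self.tags = tokens, 0, tags
    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None
    def take(self):
        self.pos += 1
        return self.tokens[self.pos - 1] if self.pos <= len(self.tokens) else None
    def expr(self):
        value = self.term()
        while self.peek() == "OR":
            self.pos += 1
            value = self.term() | value
        return value
    def term(self):
        value = self.factor()
        while self.peek() == "AND":
            self.pos += 1
            value = self.factor() & value
        return value
    def factor(self):
        tok = self.take()
        if tok == "NOT":
            return not self.factor()
        if tok == "(":
            value = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')' in scope expression")
            return value
        if tok is None or tok in ("AND", "OR", ")"):
            raise ValueError(f"unexpected token {tok!r} in scope expression")
        return tok in self.tags

def in_scope(expr, tags):
    """True if a device carrying `tags` matches the scope expression."""
    parser = _Parser(_tokenize(expr), tags)
    result = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"trailing tokens {parser.tokens[parser.pos:]} in scope expression")
    return result

def devices_in_scope(expr, devices, now):
    return [d.name for d in devices if in_scope(expr, effective_tags(d, now))]
# Constructed sample fleet, evaluated on a Monday morning during school hours.
SAMPLE_NOW = datetime(2024, 3, 4, 10, 0)
SAMPLE_DEVICES = [
    Device("ipad-a", frozenset({"student", "science"}), 37.4221, -122.0840, True, False),
    Device("ipad-b", frozenset({"student", "math"}), 37.4000, -122.1000, True, False),
    Device("ipad-c", frozenset({"staff"}), 37.4219, -122.0842, False, False),
]
```

With the sample fleet, `devices_in_scope("student AND science AND on_campus", SAMPLE_DEVICES, SAMPLE_NOW)` returns only `ipad-a`, while `"student AND NOT on_campus"` returns `ipad-b` (the student device at home). Because posture tags are recomputed on every evaluation, a device that loses its passcode drops out of any scope that requires `compliant` without an administrator touching its static tags; malformed expressions are rejected rather than silently matching nothing.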
For a detailed explanation of tags, the available dynamic and static tags, and how to evaluate tags with boolean expressions, please visit the following documentation reference:
Before devices can be managed within Systems Manager, they have to be enrolled in your EMM network. There are different types of enrollment that can be used to meet the needs of different device types or deployment models. For example, while the simplicity of a fully automated enrollment is ideal, this method does not suit BYOD deployments, and isn’t compatible with all devices.
As mentioned previously, to provide an extra layer of security regarding which devices are able to enroll in Systems Manager, you can require authentication upon enrollment. Authentication is compatible with all types of enrollment, and there are additional benefits beyond security. First, enrollment authentication ties an owner to a device automatically. Second, enrollment authentication ties a user’s groups (either LDAP or Meraki Managed) to all of their devices as dynamic tags, for automatic grouping.
Authenticating prior to SM enrollment
With fully automated enrollment, a device will be enrolled into Systems Manager automatically, and can be configured so the user has no option to cancel or prevent the enrollment. In addition to this, the device will automatically have apps, controls and settings provisioned based on the person using the device (device owner) with no direct user or administrator configuration required.
This type of enrollment allows for the highest levels of EMM control, and is only possible with iOS and OS X devices that are eligible for Apple’s Device Enrollment Program (DEP). Automated enrollment can reduce the administrative cost of deploying devices significantly, with the benefits increasing with the number of devices being deployed.
With DEP, devices can be directed by Apple to install Systems Manager when the user first opens the box and powers on the device. This eliminates all pre-staging and the need for Apple Configurator.
Partially automated enrollment supports a wider range of devices (for example iOS devices which are not enrolled in DEP) and can be completed by the end user or by an administrator pre-staging the device.
As with automated enrollment, two core functions are performed: The installation of the Systems Manager profile, app, or agent to the device, and the configuration of apps, settings, and controls.
The installation of the Systems Manager components can be performed by a user or the administrator by visiting http://m.meraki.com and following the instructions. To reduce the administrative workload, this can be done by the device user.
Meraki wireless products can be integrated with Systems Manager, to simplify and automate this process for the end user. This feature, called Systems Manager Sentry enrollment, checks all connecting devices and forces the clients to go through the on-boarding process through http://m.meraki.com if it detects that they don’t have Systems Manager installed.
Systems Manager > Wireless > Configure > Access control
Integration with a user database and owner assignment can be accomplished without DEP or User Authentication. It is a more manual process without authentication, but it does allow mixed device types to be assigned to a user.
Systems Manager > Configure > Owners > User account
With manual enrollment, the widest range of devices can be supported as there isn’t a reliance on vendor or platform specific features. This type of enrollment is often suitable for BYOD environments. Installation of the Systems Manager components can be performed by a user or the administrator by visiting http://m.meraki.com and following the instructions. Manual enrollment doesn’t require a user database, and tags used to configure devices can be assigned by the administrator in the Meraki dashboard.
When a user visits http://m.meraki.com in this configuration they will be asked to enter a network number:
Entering the unique Systems Manager network ID
This number allows the onboarding process to know which Systems Manager network the device should be joined to. The network ID and distribution options (email, SMS, or QR code for the end user) can be found in Dashboard:
Dashboard > MDM > Add devices > On-device setup
Systems Manager > MDM > Add devices > Other options
App management scopes which applications will be added to which devices, and installs them accordingly. Native (built-in) applications on devices provide functionality for managing everyday activities - like e-mail, calendars, contacts, and web browsing. For increased productivity and functionality on top of native applications on devices, there are hundreds of thousands of third-party apps that are available in the Apple App Store and the Google Play Store, as well as applications for Windows and macOS devices.
There are several ways to distribute apps and apps licenses to devices, as well as options to scope your devices in the Meraki Dashboard. The following sections will go over suggestions and examples for grouping devices and distributing apps in the Meraki Dashboard.
There are several considerations for distributing applications based on the device, and type of application. For mobile devices, there are public apps, like those found in the App Store and Google Play store, and there are private apps, like custom or enterprise iOS and Android apps.
To add applications to your Meraki Dashboard, navigate to Systems manager > MDM > Apps. Next, click the Add new button, on the far right hand side, as shown below, and choose the appropriate app type:
Systems Manager > MDM > Apps
With Apple’s Volume Purchasing Program (VPP) it is possible to bulk purchase licenses for iOS and macOS applications. This is particularly useful in education where groups of students or staff will all need the same application.
With a configured VPP account, the applications that you have purchased are displayed in the Meraki dashboard. This single view makes it easy to keep track of all of your apps and how many licenses have been assigned.
Systems Manager > MDM > VPP
Systems Manager supports and fully integrates with all of Apple's methods of deploying VPP apps - managed distribution and redeemable codes. With managed distribution, users are invited to receive VPP apps through their Apple ID. This license can be revoked at any point, and transferred to another user. Thus, the distributing organization retains full ownership and control of purchased VPP apps. With iOS 9, Apple released the ability to assign apps to devices using serial numbers, thereby eliminating the need to have an Apple ID on the device, or manage VPP users.
Systems Manager > MDM > Apps
For more information about deploying VPP licenses to iOS devices, please view the following article on Deploying VPP Apps.
In an educational environment it is often necessary to limit the availability of some features, or to configure others. These can be restrictions, like disabling the camera, or other settings, like Wi-Fi or AirPlay. Restrictions or settings can be collected together into a profile, and devices can have multiple profiles applied to them.
Multiple profiles allow granular device restrictions and simple management
Applying restrictions or settings to a device with Systems Manager works in the same way as other functions of Systems Manager - tags are used to scope which devices get which features. This allows for a highly granular or a hierarchical approach to applying restrictions to devices. In an education environment, you may want to create base or global profiles that apply to a larger group of devices, like “Student” or “Staff”, then more specific profiles targeted at smaller groups, like “5th Grade” or “Science”. This eliminates the need for administrators to maintain global or base settings in multiple profiles for each device use case. A base profile can then be updated in the future and all devices scoped to it will automatically receive the change. If a device receives multiple profiles with conflicting settings, the more restrictive setting applies.
Systems Manager > MDM > Profiles > Add New
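The following Python is an added example of the layered-profile model just described (base “Student” profile plus narrower group profiles, with the more restrictive value winning on conflict). It is an illustration written for this document, not Systems Manager's implementation: the `Profile` record, the setting names and the per-setting precedence rules in `MORE_RESTRICTIVE` are constructed assumptions, and scoping is reduced to an all-of-these-tags check.

```python
from dataclasses import dataclass

# Constructed precedence model (an illustration, not Systems Manager's implementation):
# each setting names the function that picks the more restrictive of two values.
MORE_RESTRICTIVE = {
    "allow_camera": min,             # False (disallowed) beats True
    "allow_airplay": min,
    "allow_app_installation": min,
    "passcode_min_length": max,      # a longer minimum is stricter
    "passcode_max_age_days": min,    # a shorter rotation period is stricter
}

@dataclass
class Profile:
    name: str
    all_of_tags: frozenset   # the profile applies when the device carries every tag
    settings: dict

def applies(profile, device_tags):
    return profile.all_of_tags <= set(device_tags)

def effective_settings(profiles, device_tags):
    """Merge every applicable profile; on conflict keep the more restrictive value.

    Returns (settings, sources) where sources records which profile won each key,
    which is what an administrator needs when a device behaves unexpectedly.
    """
    merged, sources = {}, {}
    for profile in profiles:
        if not applies(profile, device_tags):
            continue
        for key, value in profile.settings.items():
            if key not in MORE_RESTRICTIVE:
                # Fail closed: refuse to merge a setting with no precedence rule.
                raise KeyError(f"no precedence rule for setting {key!r}")
            if key not in merged:
                merged[key], sources[key] = value, profile.name
                continue
            winner = MORE_RESTRICTIVE[key](merged[key], value)
            if winner != merged[key]:
                merged[key], sources[key] = winner, profile.name
    return merged, sources

# Constructed base/global and group-specific profiles, as the text describes.
SAMPLE_PROFILES = [
    Profile("Student", frozenset({"student"}), {
        "allow_camera": True, "allow_airplay": True, "allow_app_installation": False,
        "passcode_min_length": 4, "passcode_max_age_days": 180}),
    Profile("Science", frozenset({"student", "science"}), {
        "allow_camera": True, "passcode_min_length": 6}),
    Profile("Exam", frozenset({"student", "exam"}), {
        "allow_camera": False, "allow_airplay": False, "allow_app_installation": False}),
]

if __name__ == "__main__":
    for tags in ({"student", "science"}, {"student", "science", "exam"}, {"staff"}):
        settings, sources = effective_settings(SAMPLE_PROFILES, tags)
        print(sorted(tags), settings, sources)
```

A device tagged `student` and `science` keeps the camera from the base profile but inherits the six-character passcode minimum from “Science”; once the dynamic `exam` tag is added, the “Exam” profile wins the camera and AirPlay settings and they revert automatically when the tag is removed. Recording the winning profile per setting in `sources` is the practical check: it answers “why is the camera disabled on this iPad?” without opening every profile.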
Assigning a profile to devices in Dashboard uses the same scoping method as discussed earlier. Profiles can be scoped to static or dynamic tags. Dynamic tags reduce the work required to manage a large number of devices, while also providing automated control. For example, if a device is not physically at school, then it can have the school restrictions removed for home use through the Geofencing feature. Further information on Geofencing is available here.
For further detail on how to configure profiles please visit the following documentation article here.
The restrictions that are available vary by device platform, where iOS has the most options for feature restrictions. An example of a global school policy that could be implemented on all devices is the restriction of the use of the camera. This restriction could be included in an organization-wide profile applied to all student devices:
Systems Manager > MDM > Settings > Restrictions
When iOS devices are supervised (either through DEP or Apple Configurator), additional restrictions become available. Supervision offers greater control of the device. Single App Mode is a good example of a more restrictive control.
Dashboard > MDM > Settings > Restrictions
In Single App Mode, the iOS device can be restricted to allow only one app to be used on the device. This locks down the device and prevents any other activity from being performed.
This functionality is also available for Samsung KNOX capable Android devices using the ‘Kiosk Mode’ feature from Systems Manager > MDM > Settings > Samsung KNOX.
Along with restrictions, profiles can contain a variety of settings. The following categories of settings are available:
This document will not cover all of the settings available but will provide examples of how some of these settings can be used in an education environment. For further information about all the possible settings and how they can be used, please refer to our documentation here.
Systems Manager can provision the WiFi and network settings of a device in two ways: manually, or automatically from an existing Meraki wireless network. In a manual configuration, the relevant information for the connection is entered by hand. This includes information such as the SSID, the security settings, the certificate, the pre-shared key, etc.
Alternatively, when a Meraki Wireless Network exists in the same organization as Systems Manager, this information can be automatically imported. By choosing “Sentry” in the interface, the necessary information is injected into the settings:
Dashboard > MDM > Settings > WiFi
With AirPlay configuration in Systems Manager, devices can be pre-provisioned with the connection details for AirPlay devices. This can be a great way to secure Apple TV and other AirPlay resources from students, while ensuring that teachers’ devices have all the information required to connect. This allows teachers to spend more time running the class and less time finding the right device to connect to and entering the appropriate password.
Dashboard > MDM > Settings > AirPlay
Systems Manager can also be customized to only list specific AirPlay devices, allowing for restricted student access to these resources.
The Backpack feature in Systems Manager allows content to be delivered to devices automatically. This ensures that when the class starts students will already have the content they need, so the teacher doesn't need to wait for them to download it.
Dashboard > MDM > Settings > Backpack
Class or grade-specific content can be sent to devices based on how that particular device is being used. Backpack can be used to deliver items like homework, lesson plans, study guides, or handbooks. For further detail on how to configure backpack, please visit the following documentation article here.
The Teacher’s Assistant functionality within Systems Manager allows you to give restricted administrative access to users, like teachers, to better utilize technology within the classroom. Teacher’s Assistant is built on limited access roles, which allow you to give an administrator access only to specific devices, selected by tag. The tags can be any of the static or dynamic tags used in Dashboard. For example, you could give access to iOS devices with a “student” and “science” tag, during 3rd period only.
Teacher’s Assistant gives educators the ability to manage student devices while in the classroom. They can do things like clear passcodes, initiate airplay, lock devices into single app mode for the duration of an exercise, and distribute backpack documents.
This guide is meant to provide guidance on a small selection of features and functionality within Systems Manager, and is not a comprehensive guide to every education deployment or use case. It is highly recommended that a list of user profiles and requirements are developed prior to deployment. This way, parameters can be iteratively adjusted to meet different use cases, based on real world experience.